To ensure that our cloud partners comply with the legal and compliance needs of the Medical School, a multi-departmental team was formed to apply necessary due-diligence. Microsoft’s Office 365 and Dropbox Business have been identified as appropriate solutions for specific types of use. The matrix below identifies the key areas that were reviewed and presents our guidance for the proper use of Office 365 and Dropbox.

Cloud Product: Office 365
Areas reviewed: Contract Review; Business Associate Agreement Review; Security Assessment; Privacy Assessment
Type of Information Approved: Based on the reviews and assessments, Confidential, Internal and Public data is acceptable. This means PHI and PII are acceptable (for example, research data).

Cloud Product: Dropbox Business
Areas reviewed: Contract Review; Business Associate Agreement Review; Security Assessment; Privacy Assessment
Type of Information Approved: Based on the reviews and assessments, Internal and Public data is acceptable (for example, meeting agendas). No PHI or PII can be stored in Dropbox.

Contract Review

The Future Institute Information Technology Department engages the President's Office General Counsel's Department for any contract review. General Counsel reviews contracts both generally, for legal terms that are or are not acceptable, and specifically for Information Technology related terms, to ensure the Medical School is agreeing to terms acceptable to both the Medical School and the General Counsel's Office.

Business Associate Agreement Review

The Future Institute Information Technology Department engages the Senior Privacy Officer, Commonwealth Medicine's Office of Compliance and Review, and the Office of General Counsel to ensure that a Business Associate Agreement is in place when necessary and required, and that it includes the agreed-upon language.

Security Assessment

The Future Institute Information Technology's Information Security Office conducts security assessments of IT vendors when requested. The security assessment is not a one-size-fits-all process; however, a baseline security review is applied to every IT vendor. The Information Security Office also assists with the contract review. In addition, various third-party attestation reports are obtained to verify that controls are designed appropriately and functioning effectively, including HITRUST CSF, SOC 2 or SOC 3 (AT 101), NIST, etc.

Privacy Assessment

The Future Institute Information Technology Department engages the Senior Privacy Officer to ensure that an assessment of the privacy requirements for the IT vendor is completed.